Method and apparatus for detecting malicious software through contextual convictions, generic signatures and machine learning techniques

US 9,088,601 B2
Filed: 11/30/2011
Issued: 07/21/2015
Est. Priority Date: 12/01/2010
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for determining whether a software application is malicious, comprising:

extracting a feature vector from said software application;

transmitting said feature vector from said software application to a server application;

receiving information from said server application relating to a determination as to whether the software application is benign or malicious based, at least in part, on said feature vector;

extracting metadata about the software application and gathering contextual information about a system on which the software application may be installed;

transmitting said metadata and contextual information to said server application, wherein the contextual information comprises websites visited by a client system and a geographic location of the client system;

receiving information from said server application relating to a determination as to whether the software application is benign or malicious based, at least in part, on said metadata and contextual information;

computing a generic fingerprint for the software application;

transmitting said generic fingerprint to said server application; and

receiving information from said server application relating to a determination as to whether the software application is benign or malicious based, at least in part, on said generic fingerprint; and

performing an action with respect to the software application based on the information received from the server application and that was generated based on the feature vector, the metadata, the contextual information, and the generic fingerprint.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Novel methods, components, and systems that enhance traditional techniques for detecting malicious software are presented. More specifically, methods, components, and systems that use important contextual information from a client system (such as recent history of events on that system), machine learning techniques, the automated deployment of generic signatures, and combinations thereof, to detect malicious software. The disclosed invention provides a significant improvement with regard to automation compared to previous approaches.

76 Citations

View as Search Results

10 Claims

1. A computer implemented method for determining whether a software application is malicious, comprising:
- extracting a feature vector from said software application;
  
  transmitting said feature vector from said software application to a server application;
  
  receiving information from said server application relating to a determination as to whether the software application is benign or malicious based, at least in part, on said feature vector;
  
  extracting metadata about the software application and gathering contextual information about a system on which the software application may be installed;
  
  transmitting said metadata and contextual information to said server application, wherein the contextual information comprises websites visited by a client system and a geographic location of the client system;
  
  receiving information from said server application relating to a determination as to whether the software application is benign or malicious based, at least in part, on said metadata and contextual information;
  
  computing a generic fingerprint for the software application;
  
  transmitting said generic fingerprint to said server application; and
  
  receiving information from said server application relating to a determination as to whether the software application is benign or malicious based, at least in part, on said generic fingerprint; and
  
  performing an action with respect to the software application based on the information received from the server application and that was generated based on the feature vector, the metadata, the contextual information, and the generic fingerprint.

2. A computer implemented method for determining whether a software application is malicious, comprising:
- receiving at a server application information from a client application concerning;
  
  (i) a feature vector from said software application;
  
  (ii) metadata about the application and contextual information about a system on which the software application may be installed, wherein the contextual information comprises websites visited by a client system and a geographic location of the client system; and
  
  (iii) a generic fingerprint for the software application;
  
  applying a machine-learning derived classification algorithm to the feature vector, if feature vector information is received from the client application;
  
  examining metadata concerning the software application and contextual information about the client system, if metadata and contextual information are received from the client system;
  
  determining whether the generic signature should be deemed malicious, if a generic signature for the software application is received from the client application; and
  
  making a determination as to whether the software application should be deemed malicious with regard to the client application; and
  
  transmitting to the client application information generated based on the feature vector, the metadata, the contextual information, and the generic fingerprint and concerning the determination as to whether the software application should be deemed malicious.
- View Dependent Claims (3, 4, 5)
- - 3. The computer implemented method according to claim 2, wherein said metadata is selected from the group consisting of traditional fingerprints and generic signatures.
  - 4. The computer implemented method according to claim 2, wherein said server application and said client application reside on separate and remote computing devices.
  - 5. The computer implemented method according to claim 2, wherein said client application continuously gathers contextual information.

6. Non-transitory computer readable storage medium containing instructions for making a determination concerning whether a software application is malicious, said instructions comprising instructions for:
- extracting a feature vector from said software application;
  
  transmitting said feature vector to a server application;
  
  receiving information from said server application relating to a determination as to whether the software application is benign or malicious based, at least in part, on said feature vector;
  
  extracting metadata about the software application and gathering contextual information about a system on which the software application may be installed;
  
  transmitting said metadata and contextual information to the server application;
  
  receiving information from said server application relating to a determination as to whether the software application is benign or malicious based, at least in part, on said metadata and contextual information, wherein the contextual information comprises websites visited by a client system and a geographic location of the client system;
  
  computing a generic fingerprint for the software application;
  
  transmitting said generic fingerprint to said server application; and
  
  receiving information from said server application relating to a determination as to whether the software application is benign or malicious based, at least in part, on said generic fingerprint; and
  
  performing an action with respect to the software application based on the information received from the server application and that was generated based on the feature vector, the metadata, the contextual information, and the generic fingerprint.

7. Non-transitory computer readable storage medium containing instructions for making a determination concerning whether a software application is malicious, said instructions comprising instructions for:
- receiving at a server application information from a client application concerning;
  
  (i) a feature vector from said software application;
  
  (ii) metadata about the software application and contextual information about a system on which the software application may be installed, wherein the contextual information comprises websites visited by a client system and a geographic location of the client system; and
  
  (iii) a generic fingerprint for the software application;
  
  applying a machine-learning derived classification algorithm to the feature vector, if feature vector information is received from the client system;
  
  examining metadata concerning the software application and contextual information about the client system, if metadata and contextual information are received from the client system;
  
  determining whether the generic signature should be deemed malicious, if a generic signature for the software application is received from the client system;
  
  making a determination as to whether the software application should be deemed malicious with regard to the client application; and
  
  transmitting to the client application information generated based on the feature vector, the metadata, the contextual information, and the generic fingerprint and concerning the determination as to whether the software application should be deemed malicious to.
- View Dependent Claims (8, 9, 10)
- - 8. The non-transitory computer readable storage medium according to claim 7, wherein said metadata is selected from the group consisting of traditional fingerprints and generic signatures.
  - 9. The non-transitory computer readable storage medium according to claim 7, wherein said server application and said client application reside on separate and remote computing devices.
  - 10. The non-transitory computer readable storage medium according to claim 7, wherein said client application continuously gathers contextual information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sourcefire Incorporated (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Friedrichs, Oliver, Huger, Alfred, O'Donnell, Adam J.
Primary Examiner(s)
CHEN, SHIN HON

Application Number

US13/308,539
Publication Number

US 20120210423A1
Time in Patent Office

1,329 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/564 by virus signature recognition

H04L 63/1416 Event detection, e.g. attac...

Method and apparatus for detecting malicious software through contextual convictions, generic signatures and machine learning techniques

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

76 Citations

10 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for detecting malicious software through contextual convictions, generic signatures and machine learning techniques

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

76 Citations

10 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others